I've set up our IS4 Server with google. Everything is working for login. Now there is an issue that I just can't seem to resolve. When using google it provides me the username as a number. Which is as expected. How do I get a proper Display Name for when the user is logged in? what is the proper approach? Right now I am using IdentityServer4.Extensions.PrincipalExtensions.GetDisplayName() to display the name and it is showing the GoogleId
Related
is there a way to user your custom React GUI with oidc-client-js? I know that if you trigger authentication endpoint using:
// PopUps might be blocked by the user, fallback to redirect
try {
await this.userManager.signinRedirect(this.createArguments(state)); //Shows midleware login form
return this.redirect();
} catch (redirectError) {
console.log("Redirect authentication error: ", redirectError);
return this.error(redirectError);
}
Middleware will try to render its predefined login form:
However I have my own React form and I only need to pass to OICDClient params (email,password) and get back User instance to display UserName etc. Something like:
var loggedUser = await this.userManager.signinCustom(state.loginEmail, state.LoginPassword); //Login using credentials
I don't want to write all the logic by myself I really want to use all functionality from OIDCClient - only with my GUI (loginForm, registerForm, updateUserForm etc).
I'm using scaffolded library from MSDN using command:
dotnet new react -o <output_directory_name> -au Individual
Is there any method/implementation to initialise oidc-client-js from React components and not user default GUI forms?
Thanks a lot!
I might be missing some thing but the whole idea of using a 3rd partly federated auth provider be it your own/your company's SSO (say developed using Identity Server 4) or say Google sign in(say using their Firebase JS kit) or Microsoft sign in, Facebook sign in etc. is that you will be redirected to their authentication endpoint where you then use say your google credentials (if you are using google sign in for example) to sign on to google auth servers. Once you do that then a payload (consisting of an identity token and access token) is returned back to your redirect URL which you must configure for your specific app.
By saying you'd like to provide your own sign-in form you are missing the entire point of using a 3rd party authentication provider. Besides, you/your app shouldn't know about user names and passwords and you don't want to have access to all that information. All that you should be interested in knowing whether the user, who are using one of the federated authentication providers, that you would have configured for your app, are who they claim to be and you then delegate all that heavy lifting to your 3rd party authentication provider.
Besides, say your company has a SSO system of their own then all your company's app will use that SSO system and from a UI perspective you want to show the same login screen so as to give a consistent user experience.
In addition, if you show me a google authentication button and then on clicking that button you show me some weird form that doesn't look like the typical google picklist sign-in form then I'll shut down your app before you can say hello, and, I suspect most user would (and should) do the same. The reason being that when you show me a google sign-in page then I know that you/your app will only get back what you need and I wouldn't ever entrust my google user name and password to any other application.
If you really want to have your own authentication form then you'll have to manage user names and passwords yourself, the way we used to do things probably over 10+ years back.
If you decide to go the route of setting up your own authentication system and then say use identity server 4 then yes you can certainly change the UI and customize it to your heart's content, but that will happen at the server level, not at the level of your react app. Point being that in any SSO system the user will be redirected to the that auth provider's endpoint where they then authenticate (and, optionally, provider permission for your app to use certain claims) and once they do that they they are redirected back to your redirect endpoint with a payload (JWT token).
Lastly, even if you could some how wire up a client side sign in form, I'm not sure you would want to use it. Passing passwords & user names over the wire isn't a good idea. You'll always want to use a server rendered sign in form.
Context
I'm developing a browser application that uses msal.js library to allow Azure Active Directory accounts to access our website. The application has the clientId and the scopes properly set and it uses loginRedirect and acquireTokenSilent successfully.
Problem
The issue I'm facing is that I'm unable to keep the session open because I don't see the Keep Me Signed In message (KMSI) so I can not answer 'YES' and make the AADSSO cookie persistent. For that reason after the login process, if the browser is closed I need to log in again.
Expectation
If I'm redirected to microsoft login from my website using msal.js library, I expect to see the KMSI message to enable persistent session (which for some reason I can see if I go directly to login.microsoftonline.com)
Sorry for the spanish: It says Do you want to keep the session open? No / Yes
Question
How can I enable KMSI with msal.js ?
The cause of not seeing 'Keep me signed in' login message when using msal.js is because when the library builds the URL to perform the login, it contains a query string item called x-client-Ver that changes the microsoftonline.com login flow.
If you remove that item from the URL (&x-client-Ver=1.1.3 for example), you can see the 'Keep me signed in' message.
The solution is to manually patch the library removing this until Microsoft fixes it. Like that: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/982/commits
Hey I am a beginner in React and Graph.
To explain, I have to create a little web site in React using Microsoft Graph to get Active Directory data ( like all the users and their information of the company which uses AAD ).
I am actually a little lost of how I can get this list of users.
Can you help me ?
Once logged into your app that have proper access right to read all users data, you should be able to retrieve users with a http get on that url
GET https://graph.microsoft.com/v1.0/users
Don't forget to add bearer token in your HTTP headers.
To get users in azure AD, you can call the List Users GET HTTP request.
GET https://graph.microsoft.com/v1.0/users
To get the number of users returned you can use the $top query parameter to specify the page size of the result set. See docs here.
https://learn.microsoft.com/en-us/graph/query-parameters#top-parameter
GET https://graph.microsoft.com/v1.0/users?$top=200
I am trying to display the name of my website on AuthO popups. No issues with Facebook, Twitter or GitHub auth. But Google's popup keep showing 'Sign in to continue to projectName.firebase.com' Instead of 'example.com'.
I mean it shows firebase's default domain instead of custom one.
Even if I change display name to some custom name in console.developers.google.com.
In the newest version of Firebase user guide they explain how to fix this, by pointing authDomain initialization property to your domain, and making a few other preparations: https://firebase.google.com/docs/auth/web/google-signin#customizing-the-redirect-domain-for-google-sign-in
Create a CNAME record for your custom domain that points to your project's subdomain on firebaseapp.com:
auth.custom.domain.com CNAME my-app-12345.firebaseapp.com
Add your custom domain to the list of authorized domains in the Firebase console: auth.custom.domain.com.
In the Google developer console or OAuth setup page, whitelist the URL of the redirect page, which will be accessible on your custom domain: https://auth.custom.domain.com/__/auth/handler.
When you initialize the JavaScript library, specify your custom domain with the authDomain field
Update: one important detail that's missing from the instructions is that the custom auth domain must be configured for Firebase Hosting (i.e. add it to the list of custom domains for Hosting on the Firebase Console). Otherwise you will get a certificate mismatch error as #AmritanshSinghal correctly points out.
Ok, for those following these instructions and running into issues, I have two other pieces of advice.
In the Google developer console or OAuth setup page, whitelist the URL of the redirect page, which will be accessible on your custom domain: https://auth.custom.domain.com/__/auth/handler.
This was really confusing to me. Here is where to do that.
Once you do all of this, you'll then get a CERT failure. Follow the instructions on this stackoverflow issue, wait a few hours, and everything will magically work!
Good luck!
I have set up the custom login page for my application using the following resource.
http://brianpeddle.com/2011/06/06/building-a-custom-salesforce-login/
However this approach requires security token for each user if the user is in untrusted network and the security token changes when user reset password.
How can I set up so that I allow multiple user login from this page? Currently only I can think of is have an extra input box so that user past the security token along with username and password. I wonder if salesforce allow javascript to grab security token dynamically for each user
OAuth2 is a security implementation that allows users to access their Salesforce data without having to enter their user/password in an untrusted application or do nasty token management themselves.
Salesforce has a guide on how to implement OAuth2 for web sites. It can be difficult to set up if you don't have any experience with OAuth2, but there are plenty of guide available.
I would also recommend using something like Firefox's RESTClient addon (or something like it) to test the use of OAuth2 to get a feel for authenticating against Salesforce .
Are you sure you have white listed the IP?
I strongly belive if you get the IP of server where your custom login page is hosted and put that in list of white listed IP's then User will not required to enter their security token.
to find the ip of your server(where your page is hosted)
- try to login with your custom login page
- login into SFDC and go to setup -> user profile-> login history
there you will see last login from IP
Copy above IP and
Again go into Setup -> Security control -> Remote site setting
and add above copied IP.
this way SF will not required security token when user is login from that IP.
http://ap1.salesforce.com/help/doc/en/configuring_remoteproxy.htm
Use this code for just login:
https://login.salesforce.com?un="+username+"&pw="+password+"&startURL=/apex/somepage